[R-sig-DB] Parameterised queries

Hannes Mühleisen Hannes.Muehleisen sending from cwi.nl
Wed Feb 11 15:39:19 CET 2015


Hi Hadley and list,

> On 11 Feb 2015, at 15:01, Hadley Wickham <h.wickham using gmail.com> wrote:
> As part of my work modernising R's database connectors, I've been
> working on improving the support for parameterised queries. I'd love
> to get your feedback on the API I'm proposing.
> 
> The goal is to encourage people to use parameterised queries instead of
> pasting together SQL strings because it is much safer (no worries
> about SQL injection attacks) and somewhat more performant (because the
> database only needs to parse the query once).
Makes a lot of sense, yes. MonetDB.R has had support for this from day one. Our syntax uses the list of parameters approach, e.g.

dbSendUpdate(conn, "INSERT INTO sometable (a) VALUES (?)", "foobar")

of course, the parameter can be a vector, in which case the query is executed multiple times. 

Generally, I would be in favour of the “list of params” approach. Also, please note that the “bind by name” is not supported by all databases. Sticking to position-only parameter binding using ? would be most compatible (also used in JDBC for example).

Best,

Hannes
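The two points raised in the thread, that positional `?` binding keeps user input out of the SQL text and that a vector of parameters runs the statement once per element, are shown below in Python's sqlite3 module, whose `?` placeholders work the same way as the JDBC-style binding Hannes describes. This is an added example, not code from the mailing list, MonetDB.R or R's DBI; the table name `sometable` follows the message, while the sample rows and the probe string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the mailing list).
SAMPLE_ROWS = [("alice",), ("bob",), ("carol",)]


def make_db():
    """Create an in-memory database with the table used in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sometable (a TEXT)")
    # A vector of parameters: the prepared statement is executed once per
    # element, which is what dbSendUpdate() does when given a vector.
    conn.executemany("INSERT INTO sometable (a) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_pasted(conn, name):
    """Unsafe variant: the value is spliced into the SQL string itself."""
    sql = "SELECT a FROM sometable WHERE a = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Safe variant: positional '?' placeholder, value sent separately."""
    sql = "SELECT a FROM sometable WHERE a = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def insert_many(conn, values):
    """Bind a whole vector of values; returns the resulting row count."""
    conn.executemany("INSERT INTO sometable (a) VALUES (?)",
                     [(v,) for v in values])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM sometable").fetchone()[0]


def pasted_breaks_on_apostrophe(conn):
    """Pasting also mangles legitimate input: a name with a quote in it
    is a syntax error in the pasted query but an ordinary value when bound."""
    try:
        lookup_pasted(conn, "o'brien")
    except sqlite3.OperationalError:
        return lookup_bound(conn, "o'brien") == []
    return False


def demo():
    """Run the same probe string through both variants."""
    conn = make_db()
    probe = "nobody' OR '1'='1"          # classic tautology injection
    return {
        "pasted": lookup_pasted(conn, probe),   # WHERE clause is always true
        "bound": lookup_bound(conn, probe),     # compared as a literal string
        "honest_bound": lookup_bound(conn, "bob"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The pasted query returns every row for the probe string because the quote in the input closes the literal and the rest becomes SQL; the bound query compares the whole probe string as a value and matches nothing. The named-parameter style (`:name`) that the thread mentions is deliberately not used here, since, as Hannes notes, positional `?` is the form every driver supports.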



